
ECS 2.0 – Configure a namespace for a tenant


Introduction

Namespaces provide the mechanism by which multiple tenants can access the ECS object store, and ensure that the objects and buckets written by users of a tenant are segregated from users of other tenants.

This article introduces some concepts around tenants and namespace settings, and describes the operations required to configure a namespace using the ECS portal.

While the configuration operations described in this article use the ECS portal, the concepts described in Understanding tenants and Understanding namespace settings apply whether you are using the portal or the REST API.


Understanding tenants

ECS supports access by multiple tenants, where each tenant is defined by a namespace and the namespace has a set of configured users who can store and access objects within the namespace.

Namespaces are global resources in ECS and a System Admin or Namespace Admin accessing ECS at any federated VDC can configure the namespace settings. In addition, object users assigned to a namespace are global and can access the object store from any federated VDC.

The key characteristic of a namespace is that users from one namespace cannot access objects belonging to another namespace. In addition, ECS enables an enterprise to configure namespaces and to monitor and meter their usage, and enables management rights to be granted to the tenant so that it can perform configuration and monitoring and metering operations.

It is also possible to use buckets as a means of creating sub-tenants. The bucket owner is the sub-tenant administrator and can assign users to the sub-tenant using access control lists. However, sub-tenants do not provide the same level of segregation as tenants; any user belonging to the tenant could be assigned privileges on a sub-tenant, so care must be taken when assigning users.

The following scenarios are supported:
Enterprise single tenant
All users access buckets and objects in the same namespace. Sub-tenants (buckets) can be created to allow a subset of namespace users to access the same set of objects. A sub-tenant could be a department within the enterprise.
Enterprise multi tenant
Different departments within an organization are assigned to different namespaces and department users are assigned to each namespace.
Cloud Service Provider single tenant
A single namespace is configured and the Service Provider provides access to the object store for users within the enterprise or outside the enterprise.
Cloud Service Provider multi tenant
The Service Provider assigns namespaces to different companies and assigns an administrator for the namespace. The namespace administrator for the tenant can then add users and can monitor and meter the use of buckets and objects.

The features provided to enable management of tenants are described in Manage a tenant.

Each tenant has access to the replication groups made available by the System Admin. Depending on the access patterns of a tenant, they may require replication groups that include sites in specific geographies. For example, if a client tenant is located in China, they might prefer to access replication groups that include VDCs located in China.


Understanding namespace settings

A namespace provides a mechanism by which objects and buckets can be segregated so that an object in one namespace can have the same name as an object in another namespace. ECS will always know which object is required by the namespace qualifier. The namespace is also configured with attributes that define which users can access the namespace and what characteristics the namespace has. You can think of an ECS namespace as a tenant.

Users with the appropriate privileges can create buckets, and can create objects within buckets, in the namespace.

The way in which namespace and bucket names are used when addressing objects in ECS is described in Addressing ECS object storage and using the Base URL.

An ECS namespace has the following attributes:
Default Replication Group
The replication group in which a bucket will be created if no replication group is specified in a request. You can find out more about the configuration of replication groups in Configure storage pools, VDCs, and replication groups.
Namespace Administrators
Users assigned to the Namespace Admin role for the namespace. The Namespace Admin is an ECS management user and can be a local or domain user.
User Mappings
The domains, groups, and attributes that identify the users who can be assigned as object users for a namespace. The way in which users are added to ECS and mapped to a specific namespace is described in Add users and assign roles.
Allowed (and Disallowed) Replication Groups
The ECS Management REST API enables a client to specify which replication groups can be used by the namespace. This is not available from the ECS portal.
It is also possible to specify retention policies and specify a quota for the namespace. Further information on using these features is provided in Manage a tenant.
Quota
When enabled, a quota size set against the namespace can cause an event to be logged (a soft quota) or access to be blocked (hard quota) when a specified storage limit is reached.
Retention Policy
A namespace can have a number of associated retention policies, where each policy defines a retention period. By applying a retention policy to a number of objects, rather than applying a retention period directly, a change to the retention policy will cause the retention period to be changed for the complete set of objects to which the policy has been applied. A request to modify an object that falls before the expiration of the retention period will be disallowed.
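
The quota and retention behaviour described above, modelled in Python as an added example (not ECS code and not taken from the ECS documentation). The class names, the `notify`/`block` mode strings, the minute-based clock, the order of the two checks, and the rule that the limit counts as reached once usage is at or above it are all assumptions of the model.

```python
from dataclasses import dataclass, field
from typing import Optional

INFINITE = None  # models the "Infinite" checkbox: the period never expires


@dataclass
class StoredObject:
    created_min: int   # creation time in minutes on the model's clock
    policy: str        # name of a retention policy, not a period


@dataclass
class Namespace:
    policies: dict = field(default_factory=dict)   # policy name -> minutes or INFINITE
    objects: dict = field(default_factory=dict)    # (bucket, key) -> StoredObject
    quota_mode: Optional[str] = None               # None, "notify" (soft) or "block" (hard)
    quota_limit: int = 0
    used: int = 0
    events: list = field(default_factory=list)

    def retention_expired(self, obj: StoredObject, now_min: int) -> bool:
        period = self.policies[obj.policy]   # resolved at request time, via the policy name
        return period is not INFINITE and now_min >= obj.created_min + period

    def modify(self, bucket: str, key: str, size_delta: int, now_min: int) -> str:
        obj = self.objects[(bucket, key)]
        if not self.retention_expired(obj, now_min):   # assumed: retention checked first
            return "disallowed: retention"
        if self.quota_mode and self.used >= self.quota_limit:
            if self.quota_mode == "block":
                return "blocked: hard quota"
            self.events.append(f"soft quota reached at {self.used}")
        self.used += size_delta
        return "allowed"


def demo():
    # Constructed sample state: one policy shared by two objects, usage at the limit.
    ns = Namespace(policies={"finance": 60}, quota_mode="notify", quota_limit=100, used=100)
    ns.objects[("b1", "a")] = StoredObject(0, "finance")
    ns.objects[("b1", "b")] = StoredObject(10, "finance")
    before = [ns.modify("b1", k, 1, 30) for k in ("a", "b")]
    ns.policies["finance"] = 15      # one policy edit changes the period for both objects
    after = [ns.modify("b1", k, 1, 30) for k in ("a", "b")]
    ns.quota_mode = "block"          # same usage, now a hard quota
    blocked = ns.modify("b1", "a", 1, 30)
    return before, after, blocked, ns.events
```

Because objects reference the policy by name, shortening a policy releases every object under it at once, so edits to a policy deserve the same review as the retention periods themselves.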

Working with namespaces at the ECS portal

The namespace portal page, Manage > Namespace, enables namespaces to be created and provides a namespace table which lists the namespaces that exist and allows them to be edited.

Namespace management page

The namespace table comprises the following fields:


Create and configure a namespace

You can create a new namespace or change the configuration of an existing namespace at the Manage > Namespace page.

Before you begin

  • To perform this operation, you must be assigned to the System Admin role in ECS.
  • A replication group must exist. The replication group provides access to storage pools in which object data is stored.
  • If you want to allow domain users to access the namespace, an authentication provider must have been added to ECS. In addition, if you intend to configure domain object users, you should plan how you want to map users into the namespace. You can refer to Add users and assign roles for more information on mapping users.

You should ensure you are familiar with the general information about namespaces provided in Understanding namespace settings.

Procedure

  1. At the ECS portal, select Manage > Namespace.
  2. To create a new namespace, select New Namespace. To edit the configuration of an existing namespace, choose the Edit action associated with the existing namespace.
  3. Specify an appropriate value for each of the fields.
    Guidance on the settings for each field is provided in the table below.
  4. Enable and configure a quota.
    1. Set the Quota control to Enabled if you want to set a quota for the namespace.
    2. Choose Notification Only or Block Access.
      If you choose to block access when a specified storage limit is reached, you can also specify a percentage of that limit at which a notification will be sent.
  5. Add and Configure Retention Policies.
    1. In the Retention Policies area, select Add to add a new policy.
    2. Enter a name for the policy.
    3. Specify the period for the Retention Policy.
      This can be a value in minutes or you can select the Infinite checkbox to ensure that buckets to which this retention policy is assigned are never deleted.
  6. Specify an AD/LDAP domain whose users can log in to ECS and perform administration tasks for the namespace.
    Enter the name of the domain and specify groups and attributes to provide finer grained control over the domain users that will be allowed to access ECS in the current namespace.
    To perform more complex mappings using groups and attributes, you should refer to Add users and assign roles.
  7. Select Save.